GNUnet 0.26.1

This is a bugfix release for gnunet 0.26.0. It fixes some regressions and minor bugs.

Links

• Source: https://ftpmirror.gnu.org/gnunet/gnunet-0.26.1.tar.gz ( https://ftpmirror.gnu.org/gnunet/gnunet-0.26.1.tar.gz.sig )
• Detailed list of changes: https://git.gnunet.org/gnunet.git/log/?h=v0.26.1
• NEWS: https://git.gnunet.org/gnunet.git/tree/NEWS?h=v0.26.1

The GPG key used to sign is: 3D11063C10F98D14BD24D1470B0998EF86F59B6A

Note that due to mirror synchronization, not all links may be functional early after the release. For direct access try https://ftp.gnu.org/gnu/gnunet/

The Debian Libre Live Images allows you to run and install Debian GNU/Linux without non-free software.

The general goal is to provide a way to use Debian without reliance on non-free software, to the extent possible within the Debian project.

One challenge are the official Debian live and installer images. Since the 2022 decision on non-free firmware, the official images for bookworm and trixie contains non-free software.

The Debian Libre Live Images project provides Live ISO images for Intel/AMD-compatible 64-bit x86 CPUs (amd64) built without any non-free software, suitable for running and installing Debian. The images are similar to the Debian Live Images distributed as Debian live images.

One advantage of Debian Libre Live Images is that you do not need to agree to the distribution terms and usage license agreements of the non-free blobs included in the official Debian images. The rights to your own hardware won’t be crippled by the legal restrictions that follows from relying on those non-free blobs. The usage of your own machine is no longer limited to what the non-free firmware license agreements allows you to do. This improve your software supply-chain situation, since you no longer need to consider their implication on your computing environment for your liberty, privacy or security. Inclusion of non-free firmware is a vehicle for xz-style attacks. For more information about the advantages of free software, see the FSF’s page on What is Free Software?.

Enough talking, show me the code! Err, binaries! Download images:

wget https://gitlab.com/api/v4/projects/74667529/packages/generic/debian-libre-live/main/live-image-amd64.hybrid.iso
wget https://gitlab.com/api/v4/projects/74667529/packages/generic/debian-libre-live/main/live-image-amd64.hybrid.iso.SHA256SUMS
sha256sum -c live-image-amd64.hybrid.iso.SHA256SUMS

Run in a virtual machine:

kvm -cdrom live-image-amd64.hybrid.iso -m 8G

Burn to an USB drive for installation on real hardware:

sudo dd if=live-images-amd64.hybrid.iso of=/dev/sdX # use sdX for USB drive

Images are built using live-build from the Debian Live Team. Inspiration has been taken from Reproducible Live Images and Kali Live.

The images are built by GitLab CI/CD shared runners. The pipeline .gitlab-ci.yml container job creates a container with live-build installed, defined in container/Containerfile. The build job then invokes run.sh that includes a run to lb build, and then upload the image to the package registry.

This is a first initial public release, calibrate your expectations! The primary audience are people already familiar with Debian. There are known issues. I have performed successful installations on a couple of different machines including laptops like Lenovo X201, Framework AMD Laptop 13″ etc.

Are you able to install Debian without any non-free software on some hardware using these images?

Happy Hacking!

GNUnet 0.26.0 released

We are pleased to announce the release of GNUnet 0.26.0.
GNUnet is an alternative network stack for building secure, decentralized and privacy-preserving distributed applications. Our goal is to replace the old insecure Internet protocol stack. Starting from an application for secure publication of files, it has grown to include all kinds of basic protocol components and applications towards the creation of a GNU internet.

This is a new major release. Major versions may break protocol compatibility with the 0.25.X versions. Please be aware that Git master is thus henceforth (and has been for a while) INCOMPATIBLE with the 0.25.X GNUnet network, and interactions between old and new peers will result in issues. In terms of usability, users should be aware that there are still a number of known open issues in particular with respect to ease of use, but also some critical privacy issues especially for mobile users. Also, the nascent network is tiny and thus unlikely to provide good anonymity or extensive amounts of interesting information. As a result, the 0.26.0 release is still only suitable for early adopters with some reasonable pain tolerance .

If it were not for compatibility-breaking changes in the crypto API of libgnunetutil this would only be a maintenance release. The changes hopefully protect users of the library from misuse of GNUnet's cryptographic key objects in ways that may be detrimental to security. Since this change breaks backwards compatibility, this is a new major release.

Download links

• gnunet-0.26.0.tar.gz ( signature )
• gnunet-fuse-0.26.0.tar.gz ( signature )

The GPG key used to sign is: 3D11063C10F98D14BD24D1470B0998EF86F59B6A

Note that due to mirror synchronization, not all links might be functional early after the release. For direct access try http://ftp.gnu.org/gnu/gnunet/

Changes

A detailed list of changes can be found in the git log , the NEWS .

Known Issues

• There are known major issues with the TRANSPORT subsystem.
• There may be some regressions in the new CORE subsystem.
• There are known moderate implementation limitations in CADET that negatively impact performance.
• There are known moderate design issues in FS that also impact usability and performance.
• There are minor implementation limitations in SET that create unnecessary attack surface for availability.
• The RPS subsystem remains experimental.

In addition to this list, you may also want to consult our bug tracker at bugs.gnunet.org which lists about 190 more specific issues.

Thanks

This release was the work of many people. The following people contributed code and were thus easily identified: Christian Grothoff, Florian Dold, TheJackiMonster, ch3, and Martin Schanzenbach.

unrtf 0.21.11 is released, fixing recently submitted security issues and a number of older bugs. Until the tar file can be uploaded to the proper location on ftp.gnu,org, you can find it on the project home page

This is to announce coreutils-9.9, a stable release.
This is primarily a stabilization release,
details of which are summarized in the NEWS below.

There have been 106 commits by 10 people in the 7 weeks since 9.8.
Thanks to everyone who has contributed!
The following people contributed changes to this release:

  Bernhard Voelker (4)    Mathieu Bordere (1)
  Bruno Haible (4)        Nicolas Boichat (1)
  Collin Funk (28)        Paul Eggert (9)
  Grisha Levit (1)        Pádraig Brady (57)
  Hannes Braun (1)        Sylvestre Ledru (1)

Pádraig [on behalf of the coreutils maintainers]
==================================================================

Here is the GNU coreutils home page:
    https://gnu.org/s/coreutils/

Here are the compressed sources:
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.9.tar.gz   (15MB)
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.9.tar.xz   (6.1MB)

Here are the GPG detached signatures:
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.9.tar.gz.sig
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.9.tar.xz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  File: coreutils-9.9.tar.gz
  SHA1 sum:   c66ec935ab7e0ef32c40153fcf67dcf67579171a
  SHA256 sum: 91a719fcf923de686016f2c8d084a8be1f793f34173861273c4668f7c65af94a

  File: coreutils-9.9.tar.xz
  SHA1 sum:   456b5c69f3ce8fbdbe926a11652673ecf12bfc44
  SHA256 sum: 19bcb6ca867183c57d77155eae946c5eced88183143b45ca51ad7d26c628ca75

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify coreutils-9.9.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   rsa4096/0xDF6FD971306037D9 2011-09-23 [SC]
        Key fingerprint = 6C37 DC12 121A 5006 BC1D  B804 DF6F D971 3060 37D9
  uid                   [ultimate] Pádraig Brady <P@draigBrady.com>
  uid                   [ultimate] Pádraig Brady <pixelbeat@gnu.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key P@draigBrady.com

  gpg --recv-keys DF6FD971306037D9

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=coreutils&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify coreutils-9.9.tar.gz.sig

This release is based on the coreutils git repository, available as

  git clone https://https.git.savannah.gnu.org/git/coreutils.git

with commit 0ae5bdc7a8311efd3efe43363050710d6ea1c367 tagged as v9.9.

For a summary of changes and contributors, see:

  https://gitweb.git.savannah.gnu.org/gitweb/?p=coreutils.git;a=shortlog;h=v9.9

or run this command from a git-cloned coreutils directory:

  git shortlog v9.8..v9.9

This release was bootstrapped with the following tools:
  Autoconf 2.72.97-cf8b9
  Automake 1.18.1
  Gnulib 2025-11-06 862a81c0e15448adde6a6e7473ec47e3a4bd91a6
  Bison 3.8.2

NEWS

* Noteworthy changes in release 9.9 (2025-11-10) [stable]

** Bug fixes

  `basenc --base58` would not operate correctly with input > 15561475 bytes.
  [bug introduced with --base58 in coreutils-9.8]

  'cksum --check' now supports base64 encoded input in untagged format:
    - for all length adjustable algorithms (blake2b, sha2, sha3),
    - if that base64 input starts with a tag like "SHA1" etc.
  Previously an error was given, about invalid input format.
  [bug introduced in coreutils-9.2]

  'cksum --check -a sha2' has better support for tagged format.  Previously
  an unneeded but explicit '-a sha2' did not match standard tags like SHA256.
  Also non standard SHA2 tags with a bad length resulted in undefined behavior.
  [bug introduced in coreutils-9.8]

  'cp' restores performance with transparently compressed files, which
  regressed due to the avoidance of copy offload, seen with OpenZFS at least.
  [bug introduced in coreutils-9.8]

  `env` on macOS, for now only when built with --disable-nls,
  will no longer always set a __CF_USER_TEXT_ENCODING environment variable.
  [bug introduced in coreutils-9.8]

  'nice' now limits the adjusted niceness value to its supported range on
  GNU/Hurd.
  [This bug was present in "the beginning".]

  'numfmt' no longer reads out-of-bounds memory with trailing blanks in input.
  [bug introduced with numfmt in coreutils-8.21]

  'numfmt' no longer outputs invalid characters with multi-byte blanks in input.
  [bug introduced in coreutils-9.5]

  'rm -d DIR' no longer fails on Ceph snapshot directories.
  Although these directories are nonempty, 'rmdir DIR' succeeds on them.
  [bug introduced in coreutils-8.16]

  'sort --compress-program' now diagnoses if it can't write more data to an
  exited compressor.  Previously sort could have exited silently in this case.
  [bug introduced in coreutils-6.8]

  'tail' outputs the correct number of lines again for non-small -n values.
  Previously it may have output too few lines.
  [bug introduced in coreutils-9.8]

  'unexpand' no longer triggers a heap buffer overflow with --tabs arguments
  that use the GNU extension /NUM or +NUM formats.
  [bug introduced in coreutils-8.28]

** Changes in behavior

  'cp' with default options may again, like with versions before v9.8,
  miss opportunities to create holes with file systems that support
  SEEK_HOLE only trivially.  This change is a consequence of the
  abovementioned copy offload fix.

  'sort --compress-program' will continue without compressing temporary files
  if the specified program cannot be executed.  Also malformed shell scripts
  without a "shebang line" will no longer be executed.

** New Features

  'numfmt' now accepts the --unit-separator=SEP option, to output or accept
  a separator between the number and unit.  For e.g. "1234 M".

** Improvements

  'fmt', 'date', 'nl', and 'pr' will now exit promptly upon receiving a write
  error, which is significant when reading large / unbounded inputs.

  install, sort, and split now use posix_spawn() to invoke child programs more
  efficiently and more independently from their own memory usage.

  'numfmt':
   - parses numbers with a non-breaking space character before a unit
   - parses numbers containing grouping characters from the current locale
   - supports a multi-byte --delimiter character
   - no longer processes input indefinitely in the presence of write errors

  wc -l now operates 10% faster on hosts that support AVX512 instructions.

** Build-related

  chcon and runcon are not built by default if selinux headers are not present,
  or if the --without-selinux configure option is specified.
  This can be overridden with the --with-selinux configure option.

  nproc no longer fails to build with Android API level <= 20.
  [build issue introduced in coreutils-9.8]

We are happy to announce the release of GNU Taler v1.1.

Join the FSF and friends on Friday, November 14 from 12:00 to 15:00 EST (17:00 to 20:00 UTC) to help improve the Free Software Directory.

\x1B[38;5;105m and \x1B[38;5;141m are a great combo.

BOSTON, Massachusetts, USA (Thursday, November 6, 2025) — The Free Software Foundation (FSF) today announced the winning photo submissions in the FSF40 Photo Contest held in August.

Nine new GNU releases in the last month (as of October 31, 2025):

1 November 2025 Unifont 17.0.03 is now available.
This is a minor release aligned with Unicode 17.0.0.

This release updates and adds over 100 Chinese ideographs.


Download this release from GNU server mirrors at:

     https://ftpmirror ... /unifont-17.0.03/

or if that fails,

     https://ftp.gnu.o ... /unifont-17.0.03/

or, as a last resort,

     ftp://ftp.gnu.org ... /unifont-17.0.03/

These files are also available on the unifoundry.com website:

     https://unifoundr ... /unifont-17.0.03/

Font files are in the subdirectory

     https://unifoundr ... 0.03/font-builds/

A more detailed description of font changes is available at

      https://unifoundr ... nifont/index.html

and of utility program changes at

      https://unifoundr ... nt-utilities.html


Enjoy!


Paul Hardy
GNU Unifont Maintainer

From Arch:

The dovecot 2.4 release branch has made breaking changes which result in it being incompatible with any <= 2.3 configuration file.

Thus, the dovecot service will no longer be able to start until the configuration file was migrated, requiring manual intervention.

For guidance on the 2.3-to-2.4 migration, please refer to the following upstream documentation: Upgrading Dovecot CE from 2.3 to 2.4

Furthermore, the dovecot 2.4 branch no longer supports their replication feature, it was removed. For users relying on the replication feature or who are unable to perform the 2.4 migration right now, we provide alternative packages available in [extra]:

• dovecot23
• pigeonhole23
• dovecot23-fts-elastic
• dovecot23-fts-xapian

The dovecot 2.3 release branch is going to receive critical security fixes from upstream until stated otherwise.

Hello and welcome to my October free software activities report.

GNU & FSF

• GNU Spotlight: I prepared and sent the October GNU Spotlight to the FSF campaigns team, who will review and publish it on the FSF’s community blog and as part of the next issue of the monthly Free Software Supporter newsletter.

• GNU Emacs:

  • bug#79629: I noticed that I was unable to customize the holiday-other-holidays variable using the setopt macro: my change did not seem to take effect. As Eli Zaretskii helpfully pointed out, this was because customizing holiday-other-holidays did not recompute the value of calendar-holidays, which is computed once, when the package is loaded.

    So I prepared and sent a patch 500a2d0cc55 to recompute calendar-holidays when its components are set.

  • bbabc1db258: While reading about custom-reevaluate-setting in the Startup Summary node of the GNU Emacs Lisp reference manual I noticed a small typo, so I committed a patch to fix it.

Misc

• The Free Software Foundation celebrated its fortieth birthday on 4 October 2025 online and in person in Boston! I was not able to attend the event in person, so I recorded a video for the FSF40 volunteer panel held at the venue.

• This month at work one of our Elasticsearch clusters experienced partial failure, and we needed to extract document IDs from a backup of one of the cluster’s shards. Elasticsearch uses Lucene under the hood and each shard is a standalone Lucene index, so I used Lucene’s Java API to write a little GetIDS class to query the index for all of its documents, and for each document print its _id field, decoding the binary-valued BytesRef as needed. The gotcha was that all of the BytesRefs seemed to have a -1 byte in the beginning, throwing off the recommended BytesRef.utf8ToString() method, so I had to reimplement that method’s logic in my program and have it use an adjusted offset + 1 and length - 1 instead.

That’s about it for this month’s report.

Take care, and so long for now.

GNU Parallel 20251022 ('Goodall') has been released. It is available for download at: lbry://@GnuParallel:4

Quote of the month:

  idk who built GNU parallel but I owe them a beer
    -- ram @h4x0r1ng

New in this release:

• No new features.
• Bug fixes.

GNU Parallel - For people who live life in the parallel lane.

If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it.

About GNU Parallel

GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU Parallel can then split the input and pipe it into commands in parallel.

If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops.

GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.

For example you can run this to convert all jpeg files into png and gif files and have a progress bar:

  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif

Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs:

  find . -name '*.jpg' |
    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200

You can find more about GNU Parallel at: http://www.gnu ... rg/s/parallel/

You can install GNU Parallel in just 10 seconds with:

    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \
       fetch -o - http://pi.dk/3 ) > install.sh
    $ sha1sum install.sh | grep c555f616391c6f7c28bf938044f4ec50
    12345678 c555f616 391c6f7c 28bf9380 44f4ec50
    $ md5sum install.sh | grep 707275363428aa9e9a136b9a7296dfe4
    70727536 3428aa9e 9a136b9a 7296dfe4
    $ sha512sum install.sh | grep b24bfe249695e0236f6bc7de85828fe1f08f4259
    83320d89 f56698ec 77454856 895edc3e aa16feab 2757966e 5092ef2d 661b8b45
    b24bfe24 9695e023 6f6bc7de 85828fe1 f08f4259 6ce5480a 5e1571b2 8b722f21
    $ bash install.sh

Watch the intro video on http://www.youtub ... L284C9FF2488BC6D1

Walk through the tutorial (man parallel_tutorial). Your command line will love you for it.

When using programs that use GNU Parallel to process data for publication please cite:

O. Tange (2018): GNU Parallel 2018, March 2018, https://doi.org/1 ... 81/zenodo.1146014.

If you like GNU Parallel:

• Give a demo at your local user group/team/colleagues
• Post the intro videos on Reddit/Diaspora*/forums/blogs/ Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists
• Get the merchandise https://gnuparall ... igns/gnu-parallel
• Request or write a review for your favourite blog or magazine
• Request or build a package for your favourite distribution (if it is not already there)
• Invite me for your next conference

If you use programs that use GNU Parallel for research:

• Please cite GNU Parallel in you publications (use --citation)

If GNU Parallel saves you money:

• (Have your company) donate to FSF https://my.f ... .org/donate/

About GNU SQL

GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.

The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.

When using GNU SQL for a publication please cite:

O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.

About GNU Niceload

GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.

The GNU C Library
=================

The GNU C Library version 2.42 is now available.

The GNU C Library is used as the C library in the GNU system and
in GNU/Linux systems, as well as many other systems that use Linux
as the kernel.

The GNU C Library is primarily designed to be a portable
and high performance C library.  It follows all relevant
standards including ISO C23 and POSIX.1-2024.  It is also
internationalized and has one of the most complete
internationalization interfaces known.

The GNU C Library website is at http://www.gnu. ... /software/libc/

Packages for the 2.42 release may be downloaded from:
        http://ftpmirr ... .gnu.org/libc/
        http://ftp.gn ... org/gnu/libc/

The mirror list is at http://www.gnu. ... /order/ftp.html

Distributions are encouraged to track the release/* branches
corresponding to the releases they are using.  The release
branches will be updated with conservative bug fixes and new
features while retaining backwards compatibility.

NEWS for version 2.42
=====================

Major new features:

• The following ISO C23 function families (introduced in TS

  18661-4:2015) are now supported in <math.h>.  Each family includes
  functions for float, double, long double, _FloatN and _FloatNx, and a
  type-generic macro in <tgmath.h>.

  - Power and absolute-value functions: compoundn, pown, powr, rootn,
    rsqrt.

• On Linux, the pthread_gettid_np function has been added.

• The ISO C2Y family of unsigned abs functions, i.e. uabs, ulabs,

  ullabs, and uimaxabs, is now supported.

• On Linux, the <termios.h> interface now supports arbitrary baud rates;

  speed_t is redefined to simply be the baud rate specified as an
  unsigned int, which matches the kernel interface.

• The thread-local cache in malloc (tcache) now supports caching of

  large blocks.  This feature can be enabled by setting the tunable
  glibc.malloc.tcache_max to a larger value (max 4194304). Tcache is
  also significantly faster for small sizes.

• A new configure option, "--enable-sframe", can be used to enable

  SFrame support of the GNU C Libraries.  SFrame is a new stack trace
  information format which can be used by backtrace.  It requires
  binutils with a minimum version of 2.45.

• Support for lightweight stack guard pages via madvise and the

  MADV_GUARD_INSTALL flag has been added to pthread_create.

• Additional optimized and correctly rounded mathematical functions have

  been imported from the CORE-MATH project, in particular acospif,
  asinpif, atanpif, atan2pif, cospif, sinpif, tanpif.

• The testsuite has been significantly extended, including coverage of

  the functionality of the printf and scanf function families in many
  variants.

• The manual has been significantly extended and updated, particularly

  the threads, terminal, filesystem, resource, and math chapters.

• Code has been added to detect the x86-64 Intel Arrow Lake, Panther

  Lake, Clearwater Forest, and Diamond Rapids microarchitectures.

• Regarding S390, support for the new z17 platform has been added.

Deprecated and removed features, and other changes affecting compatibility:

• The glibc.rtld.execstack tunable now supports a compatibility mode to

  allow programs that require an executable stack through dynamically
  loaded shared libraries.

• On Linux, the <termio.h> header and the definition of struct termio

  in <sys/ioctl.h> have been removed. The termio interface has been
  obsolete since the very first version of POSIX.1 in 1988, replaced
  with <termios.h>.

• The support for TX lock elision of pthread mutexes has been deprecated

  on all architectures and will be removed in the next release.

• On AArch64 Linux targets supporting the Scalable Matrix Extension

  (SME), setjmp and sigsetjmp will disable the ZA state of SME.

Changes to build and runtime requirements:

• GCC 12.1 or later is now required to build the GNU C Library.

• GNU Binutils 2.39 or later is now required to build the GNU C Library.

Security related changes:

The following CVEs were fixed in this release, details of which can be
found in the advisories directory of the release tarball:

  GLIBC-SA-2025-0001:
    assert: Buffer overflow when printing assertion failure message
    (CVE-2025-0395)

  GLIBC-SA-2025-0003:
    power10: strcmp fails to save and restore nonvolatile vector
    registers (CVE-2025-5702)

  GLIBC-SA-2025-0004:
    power10: strncmp fails to save and restore nonvolatile vector
    registers (CVE-2025-5745)

  GLIBC-SA-2025-0005:
    posix: Fix double-free after allocation failure in regcomp
    (CVE-2025-8058)

The following bugs were resolved with this release:

  [5994] stdio: fflush after ungetc on seekable input stream
  [12724] stdio: fclose violates POSIX 2008 on seekable input streams
  [25263] dynamic-link: ldd and ld.so fail to resolve $ORIGIN with cross
    dir symlink
  [27880] nptl: Please provide a pthread pid accessor
  [29190] dynamic-link: Symbols with version hash zero lead to crashes,
    not matched correctly
  [29459] stdio: fwrite does not return EPIPE when underlying write
    fails with EPIPE.
  [31791] nss: [Regression] nss: memory for >8 elements in nsswitch.conf
    is not freed
  [32058] libc: qsort leaks memory if C++ exception is thrown from
    comparison function
  [32269] dynamic-link: RISC-V IFUNC resolver cannot access gp pointer
  [32369] stdio: fflush(NULL) doesn't properly flush files opened in
    read mode
  [32411] math: THREEp96 seems wrong
  [32412] dynamic-link: Initial DTV is reallocated using main realloc in
    auditing mode
  [32483] locale: ctype.h macros segfault in multithreaded programs with
    multiple libc.so
  [32529] stdio: fseek failure on file opened with "rm" mode after
    ungetc
  [32535] stdio: fflush failure on file opened with "rm" mode after
    ungetc
  [32541] libc: getenv cannot be overridden in static builds
  [32574] libc: pthread_attr_getstacksize/pthread_attr_getstack return
    incorrect main stack size
  [32612] dynamic-link: [aarch64 PAC] _dl_tlsdesc_dynamic can't be
    unwound through with _Unwind_Backtrace
  [32626] math: math: log10p1f is not correctly rounded
  [32627] math: math: sinhf is not correctly rounded
  [32630] math: math: tanf is not correctly rounded for all rounding
    modes
  [32653] dynamic-link: Review options for improving both security and
    backwards compatibility of glibc 2.41 dlopen / execstack handling
  [32694] math: wrong clang version 3.4 prereq checks in bits/floatn.h
    for __float128 support, should be 3.9
  [32708] libc: Inclusion of sys/mount.h triggers many gcc warnings
    using -Wshift-overflow=2 -Wsystem-headers
  [32711] math: math: remainder incorrect sign of zero result
  [32717] libc: glibc tests fail when bfd is built with --enable-error-
    execstack=yes
  [32723] math: [2.41 Regression] /usr/include/bits/floatn.h doesn't
    work with Intel SYCL compiler
  [32763] dynamic-link: Static PIE with more than one PT_LOAD segments
    at offset 0 segfault
  [32777] crypt: The performance of the rand() function degradation
  [32781] libc: Inccorect attribute access for sched_getattr
  [32782] nptl: Race conditions in pthread cancellation causing crash
  [32786] nptl: pthread_cond_* symbols should probably have had a
    version bump in 2.41
  [32795] nptl: aio_suspend_time64 confuses CLOCK_MONOTONIC and
    CLOCK_REALTIME
  [32810] dynamic-link: Immediate crash on x86-64 when running with
    GLIBC_TUNABLES=glibc.cpu.hwcaps=-XSAVEC
  [32823] libc: make[2]: * [../Rules:248:
    /home/dave/gnu/glibc/objdir/elf/tst-origin] Error 1
  [32897] dynamic-link: pthread_getattr_np fails when executable stack
    tunable is set
  [32918] math: math: atanhf triggers UB
  [32919] math: math: coshf triggers UB
  [32920] math: math: logf triggers UB
  [32921] math: math: sinhf triggers UB
  [32922] math: math: cbrtf triggers UB
  [32923] math: math: cospif triggers UB
  [32924] math: math: erfcf triggers UB
  [32925] math: math: sinpif triggers UB
  [32932] libc: riscv: __riscv_hwprobe function attributes are incorrect
  [32947] libc: stdlib: wrong iovec array size on __libc_message_impl
  [32980] manual: getopt_long_only does not check long options first, as
    the manual claims
  [32981] ports: elf/tst-execstack-prog-static-tunable fails on
    sparc64-linux-gnu
  [32987] libc: New tst-dlopen-sgid test FAILs
  [32996] malloc: i386 TLS helper functions don't preserve XMM registers
  [33035] libc: [2.27 regression] Linux: __close_nocancel_nostatus
    clobbers errno
  [33056] string: Power 10 strcmp clobbers nonvolatile vector registers
    (CVE-2025-5702)
  [33059] string: Power 10 memchr clobbers v20
  [33060] string: Power 10 strncmp clobbers nonvolatile vector registers
    (CVE-2025-5745)
  [33088] dynamic-link: __ehdr_start may need run-time relocation
  [33089] build: [2.42 Regression] GCC 14.2.1 failed to build glibc
  [33134] libc: mcount_internal shouldn't use vector/r16-r31 registers
    nor call memcpy/memset
  [33139] stdio: %n after static dlopen is unreliable if file
    descriptors are exhausted
  [33165] build: [2.42 Regression] FAIL: elf/check-localplt
  [33173] math: Wrong IFUNC selector is used for modf/modff
  [33185] regex: Double-free after memory allocation failure in regcomp
    bracket expression parsing (CVE-2025-8058)
  [33224] dynamic-link: _dl_debug_state hook no longer works (since
    8329939a37f483a16013dd8af8303cbcb86d92cb)

Release Notes
=============

https://sourcewar ... wiki/Release/2.42

Contributors
============

This release was made possible by the contributions of many people.
The maintainers are grateful to everyone who has contributed
changes or bug reports.  These include:

Aaron Merey
Adhemerval Zanella
Andreas K. Hüttel
Andreas Schwab
Andrew Pinski
Arjun Shankar
Aurelien Jarno
Ben Kallus
Carlos O'Donell
Claudiu Zissulescu
Colin Ian King
Collin Funk
Cupertino Miranda
Cœur
DJ Delorie
David Lau
Dylan Fleming
Flavio Cruz
Florian Weimer
Frédéric Bérat
H. Peter Anvin
H.J. Lu
Jakub Jelinek
Jeremy Harris
Jitka Obselkova
John David Anglin
Jonathan Wakely
Joseph Myers
Julian Zhu
Lenard Mollenkopf
Luca Dariz
Luna Lamb
Maciej W. Rozycki
Mark Harris
Mark Wielaard
Martin Coufal
Matteo Croce
Michael Jeanson
Paul Zimmermann
Petr Malat
Pierre Blanchard
Radko Krkos
Ravina Jain
Ronan Pigott
Sachin Monga
Sam James
Samuel Thibault
Samuel Zeter
Sergei Zimmerman
Sergey Bugaev
Sergey Kolosov
Siddhesh Poyarekar
Stefan Liebler
Sunil K Pandey
Tobias Stoeckmann
Tomas Volf
Tulio Magno Quites Machado Filho
Wilco Dijkstra
William Hunt
Xi Ruoyao
YLK
Yangyu Chen
Yat Long Poon
Yury Khrustalev
Zhaoming Luo
gfleury
koraynilay
panzhe0328
zhenwei pi
наб

We would like to call out the following and thank them for their
tireless patch review:

Adhemerval Zanella
Andreas K. Hüttel
Andreas Schwab
Arjun Shankar
Carlos O'Donell
Collin Funk
Cupertino Miranda
DJ Delorie
Florian Weimer
Frédéric Bérat
Geoffrey Thomas
guoce
H.J. Lu
Joseph Myers
Maciej W. Rozycki
Mark Harris
Matthieu Longo
Palmer Dabbelt
Paul Eggert
Peter Bergner
Sachin Monga
Sam James
Samuel Thibault
Stefan Liebler
Sunil K Pandey
Tulio Magno Quites Machado Filho
Wilco Dijkstra
Yury Khrustalev

Check out the important work our volunteers accomplished at Friday's Free Software Directory (FSD) IRC meeting.

Dear community

I am happy to announce the release of the GNU Health Hospital Information System 5.0 series image for Raspberry Pi OS (version 6.0).

This image is the latest of our "GNU Health in a Box" project, which provides a is a full Hospital and Laboratory Information System server in Single Board Computers (like the Raspi or Olimex LIME2).

The latest image provides a ready-to-run server with:

    * Raspberry Pi OS Desktop
    * Debian 13 “trixie”
    * GNU Health server HIS 5.0 series server and client
    * PostgreSQL 17 database server
    * Python 3.13

For more information about the "GNU Health in a box" project, you can visit https://www.gnuhe ... org/embedded.html

For the download and installation instructions, go to our official documentation page:
https://docs.gnuh ... ion/embedded.html

Happy hacking!

Check out the important work our volunteers accomplished at last weeks's Free Software Directory (FSD) IRC meeting.

GNUnet 0.25.2

This is a bugfix release for gnunet 0.25.1. It fixes some regressions and minor bugs.

Links

• Source: https://ftpmirror.gnu.org/gnunet/gnunet-0.25.2.tar.gz ( https://ftpmirror.gnu.org/gnunet/gnunet-0.25.2.tar.gz.sig )
• Detailed list of changes: https://git.gnunet.org/gnunet.git/log/?h=v0.25.2
• NEWS: https://git.gnunet.org/gnunet.git/tree/NEWS?h=v0.25.2

The GPG key used to sign is: 3D11063C10F98D14BD24D1470B0998EF86F59B6A

Note that due to mirror synchronization, not all links may be functional early after the release. For direct access try https://ftp.gnu.org/gnu/gnunet/

18 October 2025 Unifont 17.0.02 is now available.  This is a minor release aligned with Unicode 17.0.0.

- This release includes several glyph updates and many new Chinese ideographs; see the ChangeLog file for details.

- src/Makefile now uses CPPFLAGS and LDFLAGS definitions for C program compilation.

Download this release from GNU server mirrors at:

     https://ftpmirror ... /unifont-17.0.02/

or if that fails,

     https://ftp.gnu.o ... /unifont-17.0.02/

or, as a last resort,

     ftp://ftp.gnu.org ... /unifont-17.0.02/

These files are also available on the unifoundry.com website:

     https://unifoundr ... /unifont-17.0.02/

Font files are in the subdirectory

     https://unifoundr ... 0.02/font-builds/

A more detailed description of font changes is available at

      https://unifoundr ... nifont/index.html

and of utility program changes at

      https://unifoundr ... nt-utilities.html

Information about Hangul modifications is at

      https://unifoundr ... hangul/index.html

and

      http://unifoundry ... l-generation.html

Enjoy!


Paul Hardy
GNU Unifont Maintainer

BOSTON, Massachusetts, USA (Tuesday, October 14, 2025) — The Free Software Foundation (FSF) today announced its project to bring mobile phone freedom to users. "Librephone" is an initiative to reverse-engineer obstacles preventing mobile phone freedom until its goal is achieved.

by Mikolai Gütschow

Today I submitted the version 2 of the patch series for the Algol 68 GCC Front-End:

https://gcc.gnu.org/pipermail/gcc-patches/2025-October/697255.html

This is the deal:

  Jose E. Marchesi (47):
   a68: top-level misc files
   a68: build system
   a68: build system (regenerated files)
   a68: documentation
   a68: command-line options
   a68: DWARF language codes
   a68: darwin specific support
   a68: powerpc specific support
   a68: gcc/algol68 misc files
   a68: ga68 compiler driver
   a68: a681 compiler proper
   a68: unicode support routines
   a68: front-end diagnostics
   a68: parser: entry point
   a68: parser: AST nodes attributes/types
   a68: parser: scanner
   a68: parser: keyword tables management
   a68: parser: top-down parser
   a68: parser: parenthesis checker
   a68: parser: bottom-up parser
   a68: parser: syntax check for declarers
   a68: parser: standard prelude definitions
   a68: parser: parsing of modes
   a68: parser: symbol table management
   a68: parser: static scope checker
   a68: parser: debug facilities
   a68: parser: extraction of tags from phrases
   a68: parser: dynamic stack usage in serial clauses
   a68: low: lowering entry point and misc handlers
   a68: low: plain values
   a68: low: stowed values
   a68: low: standard prelude
   a68: low: clauses and declarations
   a68: low: runtime
   a68: low: builtins
   a68: low: ranges
   a68: low: units and coercions
   a68: low: modes
   a68: libga68: sources, spec and misc files
   a68: libga68: build system
   a68: libga68: build system (generated files)
   a68: testsuite: infrastructure
   a68: testsuite: execution tests 1/2
   a68: testsuite: execution tests 2/2
   a68: testsuite: compilation tests
   a68: testsuite: revised MC Algol 68 test set
   a68: testsuite: mcgt tests
      

The Free Software Foundation celebrated its fortieth birthday today online and in person in Boston. Forty years of commitment to software freedom and fighting for the freedoms of all computer users.

As part of the FSF40 celebration, the FSF held a roundtable panel with FSF volunteers both in-person and online. I was not able to attend the event in person, so I prepared a video recording for the volunteer roundtable that was played at the venue. In the video I talk about my free software journey and how I first got involved, some of the issues facing the world of free software today, and how you can get involved and contribute to free software projects and help the free software movement.

Happy 40th birthday, FSF, and here’s to 40+ more years of software freedom. Happy hacking!

The video recording is Copyright © 2025 Amin Bandali, and is licensed under CC BY-SA 4.0.

Today we're launching a fundraising campaign to sustain and strengthen GNU Guix. Guix is completely independent from any company or institution, we rely on the support of our community to fund the project. If you can, please help sustain Guix by making a donation.

Why we need your support

Like many Free Software projects we need financial support because running a project is expensive. We incur costs for development infrastructure, facilitating developer collaboration and supporting the community around the project.

As a package manager and GNU/Linux distribution Guix has some unique needs. As the distribution grows and becomes more popular our costs also grow. Each package that's added to the distribution increases the number of builds. And, as more people use Guix the cost of delivering those packages also grows.

Sustain Guix

To be sustainable we need to match our expenses with our incoming donations. This gives the project certainty that there won't be a sudden funding shortfall.

Currently, shortfalls happen. Even recently individual volunteers have had to step in and fund services from their own pockets. That's risky and unsustainable, so we're aiming for stable financial foundations.

To achieve that goal we need €15,000 (roughly $17,500) of donations a year. This would pay for the current infrastructure and project expenses.

To be sustainable recurring donations are critical because they provide a regular stream of income that can pay for the ongoing shared resources that we all use. For example, to have a better build farm we'd need more hosting and bandwidth which is a recurring cost.

So is the goal achievable? Well, it's definitely a big goal. But, it's only €1,250 a month - so if 125 people contribute €10 a month that would get us to the target and make all the difference!

Strengthen Guix

We would love to do more, and if there's support from the community then we will. There's lots more we could do! If there's more funding then we'll be able strengthen Guix by expanding the infrastructure, investing more to support the project and promote Guix.

With more support we'd be able to do things like:

• Improve the overall resilience of our infrastructure so that services are more reliable.
• Do more to increase the substitute infrastructure's bandwith and distribution.
• Tell more people about Guix by attending events, organising user sprints and conferences.

Donate Now to Sustain Guix

Now's the time where we ask for your help. Please donate to sustain and strengthen Guix.

You can donate through either the FSF or the Guix Foundation using a variety of payment methods.

If you haven't heard of the Guix Foundation it's an EU-based non-profit that's dedicated to supporting the development and promotion of GNU Guix. It's a members-driven association, so by becoming a member you'll be supporting Guix and will have a voice in it's activities.

Every donations helps, Recurring donations are ideal, but we appreciate any support you can give. Every donation gets us a step closer to being sustainable.

Thank you for your support!

BOSTON, Massachusetts, USA (Thursday, October 2, 2025) — The Free Software Foundation (FSF) announced today that Ian Kelling, senior systems administrator for the organization and the first union member to hold a seat on its board, has been elected as the new president of the FSF.

Summer has been winding down here in southern Ontario and beautiful fall colours have been slowly appearing around us, and with that, it’s time for my September free software activities report — albeit a very short one, as it turned out to be a busy month and I had few free software contributions.

GNU & FSF

• GNU Spotlight: I prepared and sent the September GNU Spotlight to the FSF campaigns team, who will review and publish it on the FSF’s community blog and as part of the next issue of the monthly Free Software Supporter newsletter.

Debian

• recutils: Last month, I adopted the recutils package in Debian, and uploaded version 1.9-4 to unstable to fix FTBFS bug #1066370. Today, I uploaded 1.9-4~bpo13+1 to trixie-backports to provide an easy way for users of Debian 13 (Trixie) to install recutils. The upload is currently in the backports NEW queue pending review by the backports team, and will appear in the archive if approved.

Misc

• I had a lovely chat with Prot earlier this month for his ‘Prot Asks’ series, where we talked about free software, free knowledge, the importance of community and the commons, and life in Canada.

That’s about it for this month’s report. I hope to have more to share next month.

Take care, and so long for now.

Download from https://ftp.gnu.o ... string-1.4.tar.gz

This is a stable release.

New in this release:

• The data tables and algorithms have been updated to Unicode version 17.0.0.
• Fixed a bug: The functions u*_grapheme_next and u*_grapheme_prev did not work right for strings with Indic characters, Emojis, or regional indicators.

GNUnet 0.25.1

This is a bugfix release for gnunet 0.25.0. It fixes some regressions and minor bugs.

Links

• Source: https://ftpmirror.gnu.org/gnunet/gnunet-0.25.1.tar.gz ( https://ftpmirror.gnu.org/gnunet/gnunet-0.25.1.tar.gz.sig )
• Detailed list of changes: https://git.gnunet.org/gnunet.git/log/?h=v0.25.1
• NEWS: https://git.gnunet.org/gnunet.git/tree/NEWS?h=v0.25.1

The GPG key used to sign is: 3D11063C10F98D14BD24D1470B0998EF86F59B6A

Note that due to mirror synchronization, not all links may be functional early after the release. For direct access try https://ftp.gnu.org/gnu/gnunet/

BOSTON, Massachusetts, USA (Monday, September 22, 2025) — The Free Software Foundation (FSF) today announced the addition of Alexandre Oliva to its board of directors after a three month trial period.

GNU Parallel 20250922 ('Iryna Zarutska') has been released. It is available for download at: lbry://@GnuParallel:4

Quote of the month:

  GNU parallel is awesome. Use it more often in your scripts!
    -- Wade @WadeGrimshire@twitter

New in this release:

• No new features.
• Bug fixes and man page updates.

GNU Parallel - For people who live life in the parallel lane.

If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it.

About GNU Parallel

GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU Parallel can then split the input and pipe it into commands in parallel.

If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops.

GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.

For example you can run this to convert all jpeg files into png and gif files and have a progress bar:

  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif

Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs:

  find . -name '*.jpg' |
    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200

You can find more about GNU Parallel at: http://www.gnu ... rg/s/parallel/

You can install GNU Parallel in just 10 seconds with:

    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \
       fetch -o - http://pi.dk/3 ) > install.sh
    $ sha1sum install.sh | grep c555f616391c6f7c28bf938044f4ec50
    12345678 c555f616 391c6f7c 28bf9380 44f4ec50
    $ md5sum install.sh | grep 707275363428aa9e9a136b9a7296dfe4
    70727536 3428aa9e 9a136b9a 7296dfe4
    $ sha512sum install.sh | grep b24bfe249695e0236f6bc7de85828fe1f08f4259
    83320d89 f56698ec 77454856 895edc3e aa16feab 2757966e 5092ef2d 661b8b45
    b24bfe24 9695e023 6f6bc7de 85828fe1 f08f4259 6ce5480a 5e1571b2 8b722f21
    $ bash install.sh

Watch the intro video on http://www.youtub ... L284C9FF2488BC6D1

Walk through the tutorial (man parallel_tutorial). Your command line will love you for it.

When using programs that use GNU Parallel to process data for publication please cite:

O. Tange (2018): GNU Parallel 2018, March 2018, https://doi.org/1 ... 81/zenodo.1146014.

If you like GNU Parallel:

• Give a demo at your local user group/team/colleagues
• Post the intro videos on Reddit/Diaspora*/forums/blogs/ Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists
• Get the merchandise https://gnuparall ... igns/gnu-parallel
• Request or write a review for your favourite blog or magazine
• Request or build a package for your favourite distribution (if it is not already there)
• Invite me for your next conference

If you use programs that use GNU Parallel for research:

• Please cite GNU Parallel in you publications (use --citation)

If GNU Parallel saves you money:

• (Have your company) donate to FSF https://my.f ... .org/donate/

About GNU SQL

GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.

The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.

When using GNU SQL for a publication please cite:
hh
O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.

About GNU Niceload

GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.

I would like to thank Giuseppe Scrivano for maintaining GNU gcal up to now and I am pleased to take the wheel now.

I am happy to also announce the release of version 4.2.0 of gcal.

Besides making GNU gcal compilable with gcc15, this release is basically a bug fix release. It contains fixes for bugs reported on the bug-gcal mailing list and filed in the Debian BTS (Bug Tracking Sytem).

While becoming the GNU gcal maintainer on savannah went very well, it was not possible to give me upload rights for GNU ftp server. As I am not confident that I get access to the server in the near future, I am publishing the new version at:

https://www.alteh ... gcal-4.2.0.tar.gz
https://www.alteh ... gcal-4.2.0.tar.xz

and the GPG detached signatures using the key 79DED521FD7B916F726130A6250D40F0A6A2C5C8:

https://www.alteh ... -4.2.0.tar.gz.sig
https://www.alteh ... -4.2.0.tar.xz.sig


Major changes in release 4.2

• New entry added for Good Friday as Czech holiday.
• New entry added for Good Friday as Hungarian holiday.
• New entry added for Three Kings Day in Poland since 2011.
• Print note in case of starting-day different from monday and --iso-week-number is set to yes.
• No longer report Christmas day as the 26th in Idaho.
• No longer report Christmas day as the 26th in Ohio.

Libtoolers!

The Libtool Team is pleased to announce the release of libtool 2.6.0, a alpha release.

GNU Libtool hides the complexity of using shared libraries behind a
consistent, portable interface. GNU Libtool ships with GNU libltdl, which
hides the complexity of loading dynamic runtime libraries (modules)
behind a consistent, portable interface.

There have been 68 commits by 19 people in the 43 weeks since 2.5.4.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed!
The following people contributed changes to this release:

  Anthony Mallet (1)
  Bruno Haible (2)
  Christian Feld (1)
  Collin Funk (1)
  Elizabeth Figura (1)
  Evgeny Grin (1)
  Frédéric Bérat (1)
  Gleb Popov (1)
  Ileana Dumitrescu (47)
  Julien ÉLIE (1)
  Karl Berry (1)
  Kirill Makurin (1)
  Manoj Gupta (1)
  Martin Storsjö (1)
  Michael Haubenwallner (2)
  Mintsuki (1)
  Mitch (1)
  Pierre Ossman (2)
  Takashi Yano (1)

Ileana
 [on behalf of the libtool maintainers]
==================================================================

Here is the GNU libtool home page:
    https://gnu. ... g/s/libtool/

Here are the compressed sources:
  https://alpha.gnu ... tool-2.6.0.tar.gz   (2.1MB)
  https://alpha.gnu ... tool-2.6.0.tar.xz   (1.1MB)

Here are the GPG detached signatures:
  https://alpha.gnu ... -2.6.0.tar.gz.sig
  https://alpha.gnu ... -2.6.0.tar.xz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.o ... rg/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  File: libtool-2.6.0.tar.gz
  SHA1 sum:   681b41409762acb07232d7af7c289cc8a2f851c9
  SHA256 sum: ac9d4b8e072aa20d030d5ae039aba3b52bd7967b09e0c21f91f3e3dc1bbb8755

  File: libtool-2.6.0.tar.xz
  SHA1 sum:   dff32acab30a9262d19c3559092c2415b6a2b23e
  SHA256 sum: 69e6d28ae880fda08e0dc080ef2e38077ea2765a0d84e1afcfcfe1e605c911ac

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify libtool-2.6.0.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   rsa4096 2021-09-23 [SC]
        FA26 CA78 4BE1 8892 7F22  B99F 6570 EA01 146F 7354
  uid   Ileana Dumitrescu <ileanadumi95@protonmail.com>
  uid   Ileana Dumitrescu <ileanadumitrescu95@gmail.com>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key ileanadumi95@protonmail.com

  gpg --recv-keys 6570EA01146F7354

  wget -q -O- 'https://savannah. ... ol&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.o ... u/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify libtool-2.6.0.tar.gz.sig

This release is based on the libtool git repository, available as

  git clone https://git.savan ... g/git/libtool.git

with commit e40fdc22cf727fb885f9df7d9affa827e3253d1c tagged as v2.6.0.

For a summary of changes and contributors, see:

  https://git.sv.gn ... shortlog;h=v2.6.0

or run this command from a git-cloned libtool directory:

  git shortlog v2.5.4..v2.6.0

This release was bootstrapped with the following tools:
  Autoconf 2.72e
  Automake 1.18.1
  Gnulib 2025-07-29 f0773a994eb75ceeeb44e39145c842044357a1ad

NEWS

• Noteworthy changes in release 2.6.0 (2025-09-18) [alpha]

** New features:

  - Add a new tool, libtool-next-version, to guide users through updating
    library versions.

  - Add tagging for Objective-C and Objective-C++, OBJC and OBJCXX.

  - Increase 5 digit limit on revision value for libraries to 19 digits,
    which is referencing Unix epoch time in nanoseconds.

  - Add configuration options to choose whether to use '-nostdlib' to let
    the compiler frontend decide what standard libraries to link when
    building C++ shared libraries and modules, --enable-cxx-stdlib and
    --disable-cxx-stdlib.

  - Allow statically linking GCC and Clang compiler support libraries
    into shared libraries.

  - Add linking clang_rt static archives compiler internal libraries by
    their absolute path.

  - Set 'mklink' as the symlinking tool for MSVC.

  - Pass '--target' architecture flag for Clang.

  - Support MSYS and MSYS2 file path conversions.

** Bug fixes:

  - Fix wrongly deduplicated compiler dependencies on linux.

  - Fix NetBSD postdeps for shared libraries.

  - Fix statically linking dependencies into shared C++ libraries when
    utilizing clang builtins or g++ options like, -static-libstdc++, by
    using a new configuration option, --enable-cxx-stdlib.

  - Ensure *-linux-mlibc host matches to mlibc userland rather than
    matching to GNU/Linux and similar userlands.

  - Fix hang with cmd.exe in MSYS.

  - For MSVC, fix mishandling compiler flags, symlinking, cl.exe '.exp'
    extension collision, symbol names, and numerous testsuite bugs.

  - Fix undeclared reference to access on Windows in libltdl.

  - Fix flang -Wl flags on FreeBSD.

  - Fix reordering '--as-needed' flag.

  - Fix libltdl early failures for multi-arch.

** Changes in supported systems or compilers:

  - Support additional Intel OneAPI compilers, 'icx', 'icpx', and 'ifx'.

  - Support ML64 (Microsoft Macro Assembler).


Enjoy!

The initial injustice of proprietary software often leads to further injustices: malicious functionalities.

The introduction of unjust techniques in nonfree software, such as back doors, DRM, tethering, and others, has become ever more frequent. Nowadays, it is standard practice.

We at the GNU Project show examples of malware that has been introduced in a wide variety of products and dis-services people use everyday, and of companies that make use of these techniques.

Here are our latest additions

August 2025

Google's Software is Malware

• Google has announced the inclusion of a “security” measure in Android “smartphones,” which will require any software installed in certified Android devices to come from a developer who has gone through Google's new developer verification program.

The problem here is not that there's a system that provides trust on the origin of the software. A system like that might be useful, but the end user should still be able to select which organization provides that service, or maybe set up such an organization or renounce the service altogether.

Making this verification exclusive to Google makes us question which is the threat here. Is it a user installing malware inadvertently? Or is it the user installing software that makes Google lose money?

• Academic researchers have published an attack that led Google's supposed “intelligence” [*] to obey malicious commands to manipulate devices in the user's home.

Giving Google control of your devices, or control of your own computing that you do on their servers, inevitably makes you vulnerable to Google.

This announcement shows that the vulnerability includes third-party crackers [**] too.

The article says that the crack discoverers worked with Google to “mitigate“ the danger. What, concretely, does “mitigate“ mean here? Probably in this case it is a weasel word to suggest fixing a problem without claiming to have fixed it.

[*] Let's not call these systems “artificial intelligence.” Intelligence is something they do not have.

[**] Please note that the article wrongly refers to crackers as “hackers.”

July 2025

Malware in Mobile Devices

• Samsung disabled the option to unlock the bootloader in the new version of its proprietary Android distribution, making it impossible for users to install a third-party operating system on their mobile devices. This takes away people's right to run the system of their choice (which we hope is a free/libre system), and to extend the life of their device once Samsung stops supporting its software.

libgnunetchat 0.6.0 released

We are pleased to announce the release of libgnunetchat 0.6.0.
This is a minor new release bringing compatibility with the major changes in latest GNUnet release 0.25.0. A few API updates and fixes are included. Additionally the messaging client applications using libgnunetchat got updated to stay compatible. This release will also require the GNUnet services from version 0.25.0 or later because of that.

Download links

• libgnunetchat-0.6.0.tar.gz
• libgnunetchat-0.6.0.tar.gz.sig

The GPG key used to sign is: 3D11063C10F98D14BD24D1470B0998EF86F59B6A

Note that due to mirror synchronization, not all links may be functional early after the release. For direct access try http://ftp.gnu.org/gnu/gnunet/

Noteworthy changes in 0.6.0

• Fixes issues regarding group creation, leaving chats and invitations
• Improving latency by reducing message graph complexity caused by automated event handling

A detailed list of changes can be found in the ChangeLog .

Messenger-GTK 0.11.0

This minor release will add private chats to write notes to yourself and minor changes in the user interface. But mostly the release is intended to reflect changes in libgnunetchat 0.6.0.

Download links

• messenger-gtk-0.11.0.tar.gz
• messenger-gtk-0.11.0.tar.gz.sig

Keep in mind the application is still in development. So there may still be major bugs keeping you from getting a reliable connection. But if you encounter such issue, feel free to consult our bug tracker at bugs.gnunet.org .

A detailed list of changes can be found in the ChangeLog .

messenger-cli 0.4.0

This release will add changes to be compatible with libgnunetchat 0.6.0 and it will add some text prompts in dialogs to improve overall usability.

• messenger-cli-0.4.0.tar.gz
• messenger-cli-0.4.0.tar.gz.sig

A detailed list of changes can be found in the ChangeLog .

o Fix potential sensor reading miscalculation on systems where a char is defined as unsigned (such as ARM) vs signed (such as x86).
o Fix gcc15 compilation errors.

https://ftp.gnu.o ... pmi-1.6.16.tar.gz

Dear community

The GNU Health Hospital Information System 5.0.2 patchset has been released!

Patchset 5.0.2 is a small, "cosmetic" update to the main 5.0.1 bundle. It basically updates the version number on tryton.conf so it reflects on the modules list.


For completeness sake, I will just copy over the 5.0.1 post in here:

Dear community

I am happy to announce that the GNU Health Hospital Information System 5.0.1 patchset has been released!

Packages updated

• health core
• dentistry

If you use the vanilla / standard installation, you can update the server and the dependencies from the gnuhealth control center (https://docs.gnuh ... ontrolcenter.html)

Backup

As usual, before you upgrade your instance, make sure you have made a backup of your DB instance and "attach" resource !

Note about Matplotlib

We have simplified the dependency list and include matplotlib in it, so no need to look for the package at OS level. That said, Matplotlib is a complex package and we had run into issues installing it in FreeBSD from PyPi in the past. Please report if you find any issue, specially in the update process or in the chart generation context.

Happy hacking ❤️

Changelog for 5.0.2

b3a972cb3 (HEAD -> main, tag: 5.0.2, origin/main, origin/HEAD) Merge branch 'patchset/5.0.2'
510cb4b4f (origin/patchset/5.0.2, patchset/5.0.2) Update Changelog
6486b79b0 Fix bug #144. Update release version on tryton.conf

Changelog for 5.0.1

a55eb3eed (HEAD -> main, tag: 5.0.1, origin/main, origin/HEAD) Merge branch 'patchset/5.0.1'
a6c6020b3 (origin/patchset/5.0.1, patchset/5.0.1) Update Changelog and patchset version to 5.0.1
c64117947 (bugfix/5.0.1) health: pyproject.toml Unpin pillow and pytz dependencies
9b7ffeb5d tryton/health/pyproject.toml: use pillow>=10.1.0
e3190ac09 Update version in health and health_dentistry. Update Changelog
0a64fa240 Remove pillow dependency from lab and dentistry since it's already core gnuhealth package
82a847af4 Merge pull request 'missing commas' (#140) from joseagrc/his:main into bugfix/5.0.1
2653b45a0 Merge pull request 'Remove unused dependencies from health module' (#133) from ced/his:health-deps into bugfix/5.0.1
c52c673c3 Wrong cursor field teeth
721ff65e7 missing commas
2bee11109 Remove unused dependencies from health module


For a more detailed list, please go to our project page at Codeberg:
https://codeberg. ... eleases/tag/5.0.1

by Bohdan Potuzhnyi

9 September 2025 Unifont 17.0.01 is now available.  This is a major release to align with Unicode 17.0.0.

- Updates to synchronize Unifont with Unicode 17.0.0 release, including the addition of new script ranges Sidetic, Sharada Supplement, Tolong Siki, Beria Erfe, Miscellaneous Symbols Supplement, and Tai Yo.

- All Arabic glyphs introduced in Unicode 17.0.0.

- Updates and additions to many ideographs in the first list of the second round of simplified Chinese characters.

- Updates to many other glyphs; see ChangeLog for details.

- All C programs are now configured to compile cleanly with the GCC flags "-std=c99", "-Wall", and "-pedantic".  This should allow compilation with all versions of GCC from GCC 4.2.1 (the last version with a GPLv2 license) to the latest.  GCC 4.2.1 compiles C99 sources, but not by default and so requires the "-std=c99" flag to compile hex2otf.c.

- The unifont.info Texinfo file is now installed in $(PREFIX)/share/info compressed with "gzip -9" by default.

Download this release from GNU server mirrors at:

     https://ftpmirror ... /unifont-17.0.01/

or if that fails,

     https://ftp.gnu.o ... /unifont-17.0.01/

or, as a last resort,

     ftp://ftp.gnu.org ... /unifont-17.0.01/

These files are also available on the unifoundry.com website:

     https://unifoundr ... /unifont-17.0.01/

Font files are in the subdirectory

     https://unifoundr ... 0.01/font-builds/

A more detailed description of font changes is available at

      https://unifoundr ... nifont/index.html

and of utility program changes at

      https://unifoundr ... nt-utilities.html

Information about Hangul modifications is at

      https://unifoundr ... hangul/index.html

and

      http://unifoundry ... l-generation.html

Enjoy!

Earlier today I joined Prot for an episode of his Prot Asks series, where he talks to folks about Emacs and life in general. We talked about free software, free knowledge, the importance of community and the commons, and life in Canada.

See the episode’s page on Prot’s website for the video recording, Prot’s summary of our chat, and the links I shared after our call. You can also watch the recording embedded below.

I really enjoyed our chat today and time went by very quickly. Thanks again for having me, Prot!

Take care, and so long for now.

The video recording is Copyright © 2025 Protesilaos Stavrou and Amin Bandali, and is licensed under CC BY-SA 4.0.

A security issue, CVE-2025-59378, has been identified in guix-daemon, which allows for a local user to gain the privileges of any of the build users and subsequently use this to manipulate the output of any build. In the case of the rootless daemon, this also means gaining the privileges of guix-daemon. All systems are affected, whether or not guix-daemon is running with root privileges. You are strongly advised to upgrade your daemon now (see instructions below).

The only requirements to exploit this are the ability to create and build an arbitrary derivation that has builtin:download as its builder, and to execute a setuid program on the system in question. As such, this represents an increased risk primarily to multi-user systems, but also more generally to any system in which untrusted code may be able to access guix-daemon's socket, which is usually located at /var/guix/daemon-socket/socket.

Vulnerability

guix-daemon currently supports two so-called built-in builders for derivations: builtin:download and builtin:git-download. Their primary utility is currently to circumvent bootstrapping challenges in code-downloading derivations (that is, "how does one get the programs that are used to download programs?") by using "host-side" programs for this purpose.

In particular, download and git-download are currently implemented in the (guix scripts perform-download) module, which can be run as a standalone program using guix perform-download. At the time that perform-download was written, it was believed to be sufficient for security purposes to ensure that it was run by a build user, and so one of the user-supplied values (the file named by the derivation's content-addressed-mirrors environment variable) was read and evaluated as arbitrary Guile code.

This suffices to protect a regular user from an untrusted derivation they may be building, since all processes owned by the build user will be killed at the end of the build, before any other build can be run that uses the same build user. It does not suffice, however, to protect the daemon's build users – and by extension the integrity of the daemon's builds – from a regular user. In particular, a content-addressed-mirrors file can be written to create a setuid program that allows a regular user to gain the privileges of the build user that runs it even after the build has ended. This is similar in impact to CVE-2025-46416, though using a somewhat different mechanism.

Mitigation

This security issue has been fixed by 3 commits (2a33354, f607aaa, and 9202921) as part of pull request #2419. Users should make sure they have upgraded to commit 1618ca7 or any later commit to be protected from this vulnerability. Upgrade instructions are in the following section.

The fix was accomplished by changing (guix scripts perform-download) to evaluate the content-addressed-mirrors file in a Guile isolated environment, as well as verifying that this file and the others that perform-download reads is neither outside of the store nor a symbolic link to a file outside of the store, so that this cannot be used to cause arbitrary files (such as /proc/PID/fd/N) to be read. Measures were also taken to ensure that calls to read never cause code to be evaluated.

A test for the presence of this vulnerability is available at the end of this post. One can run this code with:

guix repl -- content-addressed-mirrors-vuln-check.scm

This will output whether the current guix-daemon being used is vulnerable or not. If it is not vulnerable, the last line will contain guix-daemon is not vulnerable and guix repl will exit with status code 0, otherwise the last line will contain guix-daemon is VULNERABLE and guix repl will exit with status code 1.

Upgrading

Due to the severity of this security advisory, we strongly recommend all users to upgrade guix-daemon immediately.

For Guix System, the procedure is to reconfigure the system after a guix pull, either restarting guix-daemon or rebooting. For example:

guix pull
sudo guix system reconfigure /run/current-system/configuration.scm
sudo herd restart guix-daemon

where /run/current-system/configuration.scm is the current system configuration but could, of course, be replaced by a system configuration file of a user's choice.

For Guix on another distribution, one needs to guix pull with sudo, as the guix-daemon runs as root, and restart the guix-daemon service, as documented. For example, on a system using systemd to manage services, run:

sudo --login guix pull
sudo systemctl restart guix-daemon.service

Note that for users with their distro's package of Guix (as opposed to having used the install script) you may need to take other steps or upgrade the Guix package as per other packages on your distro. Please consult the relevant documentation from your distro or contact the package maintainer for additional information or questions.

Conclusion

Test for presence of vulnerability

Below is code to check if your guix-daemon is vulnerable to this exploit. Save this file as content-addressed-mirrors-vuln-check.scm and run following the instructions above, in "Mitigation."

(use-modules (guix monads)
             (guix derivations)
             (guix gexp)
             (guix store)
             (guix utils)
             (guix packages)
             (srfi srfi-34))

(define %test-filename
  "/tmp/content-addressed-mirrors-vulnerable")

(define %test-content-addressed-mirrors
  `(begin
     (mkdir ,%test-filename)
     (exit 33)))

(define %test-content-addressed-mirrors-file
  (plain-file "content-addressed-mirrors"
              (object->string %test-content-addressed-mirrors)))

(define (test-content-addressed-mirrors content-addressed-mirrors)
  (mlet %store-monad ((content-addressed-mirrors
                       (lower-object content-addressed-mirrors)))
    (raw-derivation "content-addressed-mirrors-vuln-check"
                    "builtin:download"
                    '()
                    #:hash
                    (base32
                     "dddddddddddddddddddddddddddddddddddddddddddddddddddd")
                    #:hash-algo 'sha256
                    #:sources (list content-addressed-mirrors)
                    #:env-vars `(("url" . "/doesnotexist")
                                 ("content-addressed-mirrors"
                                  . ,content-addressed-mirrors))
                    #:local-build? #t)))

(with-store store
  (let ((drv (run-with-store store (test-content-addressed-mirrors
                                    %test-content-addressed-mirrors-file))))
    (guard (c ((and (store-protocol-error? c)
                    (string-contains (store-protocol-error-message c) "failed"))
               (cond
                ((file-exists? %test-filename)
                 (format #t "content-addressed-mirrors can evaluate arbitrary code, guix-daemon is VULNERABLE~%")
                 (exit 1))
                (else
                 (format #t "content-addressed-mirrors can't create files, guix-daemon is not vulnerable~%")
                 (exit 0)))))
      (build-derivations store (list drv)))))

GNU Parallel 20250822 ('Петропавловск') has been released. It is available for download at: lbry://@GnuParallel:4

Quote of the month:

  gnuparallel is sacred Unix magic
    -- Dr. Dylan Beaudette, Soil Scientis ‪@dylanbeaudette.bsky.social

New in this release:

• No new features.
• Bug fixes and man page updates.

GNU Parallel - For people who live life in the parallel lane.

If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it.

About GNU Parallel

GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU Parallel can then split the input and pipe it into commands in parallel.

If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops.

GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.

For example you can run this to convert all jpeg files into png and gif files and have a progress bar:

  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif

Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs:

  find . -name '*.jpg' |
    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200

You can find more about GNU Parallel at: http://www.gnu ... rg/s/parallel/

You can install GNU Parallel in just 10 seconds with:

    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \
       fetch -o - http://pi.dk/3 ) > install.sh
    $ sha1sum install.sh | grep c555f616391c6f7c28bf938044f4ec50
    12345678 c555f616 391c6f7c 28bf9380 44f4ec50
    $ md5sum install.sh | grep 707275363428aa9e9a136b9a7296dfe4
    70727536 3428aa9e 9a136b9a 7296dfe4
    $ sha512sum install.sh | grep b24bfe249695e0236f6bc7de85828fe1f08f4259
    83320d89 f56698ec 77454856 895edc3e aa16feab 2757966e 5092ef2d 661b8b45
    b24bfe24 9695e023 6f6bc7de 85828fe1 f08f4259 6ce5480a 5e1571b2 8b722f21
    $ bash install.sh

Watch the intro video on http://www.youtub ... L284C9FF2488BC6D1

Walk through the tutorial (man parallel_tutorial). Your command line will love you for it.

When using programs that use GNU Parallel to process data for publication please cite:

O. Tange (2018): GNU Parallel 2018, March 2018, https://doi.org/1 ... 81/zenodo.1146014.

If you like GNU Parallel:

• Give a demo at your local user group/team/colleagues
• Post the intro videos on Reddit/Diaspora*/forums/blogs/ Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists
• Get the merchandise https://gnuparall ... igns/gnu-parallel
• Request or write a review for your favourite blog or magazine
• Request or build a package for your favourite distribution (if it is not already there)
• Invite me for your next conference

If you use programs that use GNU Parallel for research:

• Please cite GNU Parallel in you publications (use --citation)

If GNU Parallel saves you money:

• (Have your company) donate to FSF https://my.f ... .org/donate/

About GNU SQL

GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.

The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.

When using GNU SQL for a publication please cite:

O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.

About GNU Niceload

GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.